Topic: Regarding passwords (Read 2726 times)

Exactly. That's how I generated the example passwords. First thing you see is that special characters come pretty much more often than in most user-chosen passwords.

In plain 7-bit ASCII there are:
- 26+26 letters
- 10 digits
- 32 special characters

This means that on average only 55.3 % of characters should be letters and 34.0 % should be special characters.



/dev/random on modern Linux systems is way better than dice you get in toy shops.

Certain configurations of the characters are much less likely than others. It would be better to randomize each character individually.

For my master passwords, I roll physical dice to get the randomness. Less secure passwords can use /dev/random. Additional hashing isn't necessary: /dev/random is already mixed using hashing.

But I have another tip for you: You can use it as strength meter by chosing each character at random. This means each possible character must have the exact same probability and this should not depend on previous characters.

Some passwords that meet this standards:

You already received such an opinion and then disregarded it.

I have nothing further to add. You win.

Gibson's calculator is not a password strength meter. There is an explicit disclaimer, dude!


You prefer authority over arguments? Authorities will tell you to stop using bitcoin.

How about you guys who are saying that b1Ackb0x3!1 is not strong drop it into a sign-up page somewhere to *any* site that checks password strength and see what it says?

Better idea, since I could maybe guess what your response will be — those sites don't take leetspeak into account — is there someone who actually cracks passwords for a living who would comment on it? Now, I know that if there is someone here who actually does do that for a living they are not likely to admit it, but I'm just interested in a "professional" view.

If you examine the 4.9-million-word "Ultimate Password List" at http://area51archives.com/index.php?title=Ultimate_Password_List (15MB .rar file that unpacks into 6 text files), here are the alphabetical entries around "b1", which is how b1Ackb0x3!1 starts. Why would a hacker zero in on that area if he had *no information at all* about the password?

b‚vue
b's
b'tje
b-52's   
b-ball
b-dur
b-spline
b.c
b0
b1
b2
b21
b3
b4
b43
b5
b52's   
b6
b7
b8
b9
ba

I think a hacker would first use a password list like this. After failing with the password list he would resort to a brute force attack if he was *really* determined to get at that specific account using a computer-based approach and not social engineering or a rubber-hose attack. Plugging b1Ackb0x3!1 into Steve Gibson's Interactive Brute Force Password “Search Space” Calculator at https://www.grc.com/haystack.htm gives 1.83 billion centuries as the time required to exhaustively search that password's space in an online attacking scenario, 18.23 centuries in an offline fast attack scenario, and 1.83 years in a hypothetical "massive cracking array" scenario at a hypothetical one hundred trillion guesses per second.

If you are going to latch on to that "1.83 years" and say, "See, told you, it's not strong," well. . . .

That's my point. Because some guys in this thread claimed their similar passwords to be strong.

It doesn't really matter, since b1Ackb0x3!1 is not a strong password to begin with.

Some passwords weren't hashed with a modern method. But the one above (which refers to b1Ackb0x3!1) was.

OK, thank you.

Then I don't understand the point you were making with "Some passwords weren't hashed with a modern method. But the one above was." Could you amplify?

No, b1Ackb0x3!1 was hashed with the modern method. You can just look at the dump.

If you are saying that my tropz49 password was not cracked because it was hashed with a modern method, and b1Ackb0x3!1 was cracked because it was hashed with an old-fashioned method, then would that mean that — in your opinion — I8Lik#PuDD!ng8§ would be secure if hashed with a modern method but not with that old-fashioned method?

Some passwords weren't hashed with a modern method. But the one above was.

You are assuming that b1Ackb0x3!1 was cracked by a brute force approach. My pathetic Mt Gox password  consisted of solely five lower case letters and two numbers, seven characters total, and it wasn't cracked. Has anyone given a good explanation of why certain Mt Gox passwords were cracked and others weren't?

It's not secure because modern password crackers assume your password will be a series of words, and try "31337 speak" combinations such as substituting 3 for e, adding a few random characters on the end, etc. This approach is much faster and can crack such a password in days or even hours.

Steve Gibson's site says:http://forum.bitcoin.org/index.php?topic=23705.msg302468#msg302468

A password like I8Lik#PuDD!ng8§ is not secure? You have got to be kidding. Steve Gibson's calculator at https://www.grc.com/%5Chaystack.htm gives the time to exhaustively search this password's space assuming one hundred billion guesses per second at 1.49 billion centuries.

How is a password like this not secure?

if you look thru that list of mtgox passwords that got hacked its amazing how many derivations of that exact password there actually was.

+1 to the aboves. Keypass saved my Mt gox password once already (thank the fsm I gained some insight through the forum and changed it a few days earlier). Since keypass also accepts not only ascii keyboard inputs for the main password, it may be a nice idea to also add another non ascii keyboard language and switching to that one, write any set of words you can remember quickly (lyrics, etc) with spaces and whatnot. I am guessing that this should provide quite a safe string of characters, very easy to remember. Take care.